Diffstat (limited to 'ratatoeskr')
-rw-r--r--ratatoeskr/backend.php14
-rw-r--r--ratatoeskr/frontend.php32
-rw-r--r--ratatoeskr/sys/Esc.php22
-rw-r--r--ratatoeskr/sys/translation.php4
-rw-r--r--ratatoeskr/sys/utils.php18
5 files changed, 59 insertions, 31 deletions
diff --git a/ratatoeskr/backend.php b/ratatoeskr/backend.php
index c050922..df1ea5b 100644
--- a/ratatoeskr/backend.php
+++ b/ratatoeskr/backend.php
@@ -9,6 +9,8 @@
* See "ratatoeskr/licenses/ratatoeskr" for more information.
*/
+use r7r\cms\sys\Esc;
+
require_once(dirname(__FILE__) . "/sys/models.php");
require_once(dirname(__FILE__) . "/sys/pwhash.php");
require_once(dirname(__FILE__) . "/sys/textprocessors.php");
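Review bot: The added `use r7r\cms\sys\Esc;` only aliases the name; nothing in this hunk loads `sys/Esc.php`, while every other dependency of this file is pulled in with an explicit `require_once` on the lines just below. Unless an autoloader registered elsewhere (not visible in this diff) resolves `r7r\cms\sys\Esc`, the first `Esc::esc()` call in this file fails with a class-not-found error. Adding `require_once(dirname(__FILE__) . "/sys/Esc.php");` next to the existing requires would match the file's loading convention; the same applies to frontend.php, translation.php and utils.php, which add the identical `use` line without a require.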
@@ -269,7 +271,7 @@ function build_backend_subactions()
call_user_func($cb, $article);
}
$ste->vars["article_editurl"] = urlencode($article->urlname) . "/" . urlencode($editlang);
- $ste->vars["success"] = htmlesc($translation["article_save_success"]);
+ $ste->vars["success"] = Esc::esc($translation["article_save_success"]);
} catch (AlreadyExistsError $e) {
$fail_reasons[] = $translation["article_name_already_in_use"];
}
@@ -305,7 +307,7 @@ function build_backend_subactions()
call_user_func($cb, $article);
}
$ste->vars["article_editurl"] = urlencode($article->urlname) . "/" . urlencode($editlang);
- $ste->vars["success"] = htmlesc($translation["article_save_success"]);
+ $ste->vars["success"] = Esc::esc($translation["article_save_success"]);
} catch (AlreadyExistsError $e) {
$fail_reasons[] = $translation["article_name_already_in_use"];
}
@@ -700,9 +702,9 @@ function build_backend_subactions()
if ($imageaction == "markdown") {
$ste->vars["embed_code"] = "![" . str_replace("]", "\\]", $_POST["img_alt"]) . "](%root%/images/" . str_replace(")", "\\)", urlencode($image->get_filename())) . ")";
} elseif ($imageaction == "html") {
- $ste->vars["embed_code"] = "<img src=\"%root%/images/" . htmlesc(urlencode($image->get_filename())) . "\" alt=\"" . htmlesc($_POST["img_alt"]) . "\" />";
+ $ste->vars["embed_code"] = "<img src=\"%root%/images/" . Esc::esc(urlencode($image->get_filename())) . "\" alt=\"" . Esc::esc($_POST["img_alt"]) . "\" />";
} elseif ($imageaction == "ste") {
- $ste->vars["embed_code"] = "<img src=\"\$rel_path_to_root/images/" . htmlesc(urlencode($image->get_filename())) . "\" alt=\"" . htmlesc($_POST["img_alt"]) . "\" />";
+ $ste->vars["embed_code"] = "<img src=\"\$rel_path_to_root/images/" . Esc::esc(urlencode($image->get_filename())) . "\" alt=\"" . Esc::esc($_POST["img_alt"]) . "\" />";
}
}
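Review bot: `Esc::esc($_POST["img_alt"])` on the two rewritten lines throws a `TypeError` when the request lacks an `img_alt` field, because the value is then null and `Esc::esc()` declares a non-nullable `string` parameter, whereas the replaced `htmlesc()` forwarded null to `htmlspecialchars()` and got an empty string back. The same regression is in frontend.php's comment_form hunk, where `Esc::esc(@$_POST["author_name"])` and the mail/text fields receive null whenever the form is shown without a prior submission (the `@` there shows the key is expected to be absent), and in utils.php, where the retained `htmlesc()` wrapper still documents `@param mixed $text` but forwards it unchanged to the `string` parameter. Coalesce before escaping: `Esc::esc($_POST["img_alt"] ?? "")` here, `Esc::esc($_POST["author_name"] ?? "")` in the form (which also removes the need for `@`), and `return Esc::esc((string) ($text ?? ""));` in `htmlesc()`. build_backend_subactions starts and ends outside this hunk.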
@@ -1617,7 +1619,7 @@ function build_backend_subactions()
$ste->vars["success"] = $translation[$newstatus ? "plugins_activated" : "plugins_deactivated"];
if (!empty($api_incompat)) {
- $ste->vars["error"] = htmlesc(str_replace("[[PLUGINS]]", implode(", ", $api_incompat), $translation["could_not_activate_plugin_api_incompat"]));
+ $ste->vars["error"] = Esc::esc(str_replace("[[PLUGINS]]", implode(", ", $api_incompat), $translation["could_not_activate_plugin_api_incompat"]));
}
}
@@ -1679,7 +1681,7 @@ function build_backend_subactions()
}
if (!empty($api_incompat)) {
- $ste->vars["notice"] = htmlesc(str_replace("[[PLUGINS]]", implode(", ", $api_incompat), $translation["plugins_incompat"]));
+ $ste->vars["notice"] = Esc::esc(str_replace("[[PLUGINS]]", implode(", ", $api_incompat), $translation["plugins_incompat"]));
}
echo $ste->exectemplate("/systemtemplates/pluginlist.html");
diff --git a/ratatoeskr/frontend.php b/ratatoeskr/frontend.php
index 473ed8a..eb62378 100644
--- a/ratatoeskr/frontend.php
+++ b/ratatoeskr/frontend.php
@@ -9,6 +9,8 @@
* See "ratatoeskr/licenses/ratatoeskr" for more information.
*/
+use r7r\cms\sys\Esc;
+
require_once(dirname(__FILE__) . "/sys/utils.php");
require_once(dirname(__FILE__) . "/languages.php");
require_once(dirname(__FILE__) . "/sys/models.php");
@@ -110,8 +112,8 @@ function article_transform_ste($article, $lang)
return [
"id" => $article->get_id(),
"urlname" => $article->urlname,
- "fullurl" => htmlesc("$rel_path_to_root/$lang/{$a_section->name}/{$article->urlname}"),
- "title" => htmlesc($article->title[$lang]->text),
+ "fullurl" => Esc::esc("$rel_path_to_root/$lang/{$a_section->name}/{$article->urlname}"),
+ "title" => Esc::esc($article->title[$lang]->text),
"text" => textprocessor_apply(str_replace("%root%", $rel_path_to_root, $article->text[$lang]->text), $article->text[$lang]->texttype),
"excerpt" => textprocessor_apply(str_replace("%root%", $rel_path_to_root, $article->excerpt[$lang]->text), $article->excerpt[$lang]->texttype),
"custom" => $article->custom,
@@ -146,7 +148,7 @@ function comment_transform_ste($comment)
return [
"id" => $comment->get_id(),
"text" => $comment->create_html(),
- "author" => htmlesc($comment->author_name),
+ "author" => Esc::esc($comment->author_name),
"timestamp" => $comment->get_timestamp(),
"__obj" => $comment
];
@@ -449,9 +451,9 @@ $ste->register_tag("comment_form", function ($ste, $params, $sub) {
$previewbtn = $ste->evalbool(@$params["previewbtn"]) ? " <input type=\"submit\" name=\"preview_comment\" value=\"{$translation["comment_form_preview"]}\" />" : "";
if ($ste->evalbool(@$params["default"])) {
- $form_body = "<p>{$translation["comment_form_name"]}: <input type=\"text\" name=\"author_name\" value=\"" . htmlesc(@$_POST["author_name"]) . "\" /></p>
-<p>{$translation["comment_form_mail"]}: <input type=\"text\" name=\"author_mail\" value=\"" . htmlesc(@$_POST["author_mail"]) . "\" /></p>
-<p>{$translation["comment_form_text"]}:<br /><textarea name=\"comment_text\" cols=\"50\" rows=\"10\">" . htmlesc(@$_POST["comment_text"]) . "</textarea></p>
+ $form_body = "<p>{$translation["comment_form_name"]}: <input type=\"text\" name=\"author_name\" value=\"" . Esc::esc(@$_POST["author_name"]) . "\" /></p>
+<p>{$translation["comment_form_mail"]}: <input type=\"text\" name=\"author_mail\" value=\"" . Esc::esc(@$_POST["author_mail"]) . "\" /></p>
+<p>{$translation["comment_form_text"]}:<br /><textarea name=\"comment_text\" cols=\"50\" rows=\"10\">" . Esc::esc(@$_POST["comment_text"]) . "</textarea></p>
<p><input type=\"submit\" name=\"post_comment\" value=\"{$translation["comment_form_submit"]}\" />$previewbtn</p>";
} else {
$ste->vars["current"]["oldcomment"] = [
@@ -501,7 +503,7 @@ $ste->register_tag("page_prev", function ($ste, $params, $sub) {
parse_str(parse_url($_SERVER["REQUEST_URI"], PHP_URL_QUERY), $query);
$query["page"] = $params["current"] - 1;
$url = $_SERVER["REDIRECT_URL"] . "?" . http_build_query($query);
- return "<a href=\"" . htmlesc($url) . "\">" . (($ste->evalbool(@$params["default"])) ? $translation["page_prev"] : $sub($ste)) . "</a>";
+ return "<a href=\"" . Esc::esc($url) . "\">" . (($ste->evalbool(@$params["default"])) ? $translation["page_prev"] : $sub($ste)) . "</a>";
});
$ste->register_tag("page_next", function ($ste, $params, $sub) {
@@ -520,7 +522,7 @@ $ste->register_tag("page_next", function ($ste, $params, $sub) {
parse_str(parse_url($_SERVER["REQUEST_URI"], PHP_URL_QUERY), $query);
$query["page"] = $params["current"] + 1;
$url = $_SERVER["REDIRECT_URL"] . "?" . http_build_query($query);
- return "<a href=\"" . htmlesc($url) . "\">" . (($ste->evalbool(@$params["default"])) ? $translation["page_next"] : $sub($ste)) . "</a>";
+ return "<a href=\"" . Esc::esc($url) . "\">" . (($ste->evalbool(@$params["default"])) ? $translation["page_next"] : $sub($ste)) . "</a>";
});
/*
@@ -571,8 +573,8 @@ $ste->register_tag("languages", function ($ste, $params, $sub) {
foreach ($langs as $lang) {
$ste->set_var_by_name($params["var"], [
"short" => $lang,
- "fullname" => htmlesc($languages[$lang]["language"]),
- "url" => htmlesc("$rel_path_to_root/$lang/" . implode("/", array_slice($ste->vars["current"]["url_fragments"], 1)))
+ "fullname" => Esc::esc($languages[$lang]["language"]),
+ "url" => Esc::esc("$rel_path_to_root/$lang/" . implode("/", array_slice($ste->vars["current"]["url_fragments"], 1)))
]);
$output .= $sub($ste);
}
@@ -613,11 +615,11 @@ $ste->register_tag("styles_load", function ($ste, $params, $sub) {
}
}
}
- $output = "<style type=\"text/css\">\n" . htmlesc($output) . "</style>";
+ $output = "<style type=\"text/css\">\n" . Esc::esc($output) . "</style>";
} else {
$output = "";
foreach ($ste->vars["current"]["styles"] as $stylename) {
- $output .= "<link rel=\"stylesheet\" type=\"text/css\" href=\"$rel_path_to_root/css.php?name=" . htmlesc($stylename) . "\" />\n";
+ $output .= "<link rel=\"stylesheet\" type=\"text/css\" href=\"$rel_path_to_root/css.php?name=" . Esc::esc($stylename) . "\" />\n";
}
}
return $output;
@@ -636,10 +638,10 @@ $ste->register_tag("styles_load", function ($ste, $params, $sub) {
$ste->register_tag("title", function ($ste, $params, $sub) {
$pagetitle = $sub($ste);
if (isset($ste->vars["current"]["article"])) {
- return "<title>" . htmlesc($ste->vars["current"]["article"]["title"]) . " – $pagetitle" . "</title>";
+ return "<title>" . Esc::esc($ste->vars["current"]["article"]["title"]) . " – $pagetitle" . "</title>";
}
if (isset($ste->vars["current"]["section"])) {
- return "<title>" . htmlesc($ste->vars["current"]["section"]["title"]) . " – $pagetitle" . "</title>";
+ return "<title>" . Esc::esc($ste->vars["current"]["section"]["title"]) . " – $pagetitle" . "</title>";
}
return "<title>$pagetitle</title>";
});
@@ -811,7 +813,7 @@ function frontend_url_handler(&$data, $url_now, &$url_next)
call_user_func($validator);
}
} catch (CommentRejected $e) {
- $ste->vars["current"]["comment_fail"] = htmlesc($e->getMessage());
+ $ste->vars["current"]["comment_fail"] = Esc::esc($e->getMessage());
$rejected = true;
}
if (!$rejected) {
diff --git a/ratatoeskr/sys/Esc.php b/ratatoeskr/sys/Esc.php
new file mode 100644
index 0000000..eaefc10
--- /dev/null
+++ b/ratatoeskr/sys/Esc.php
@@ -0,0 +1,22 @@
+<?php
+
+
+namespace r7r\cms\sys;
+
+class Esc
+{
+ public const HTML = 1;
+ public const NL2BR = 2;
+ public const HTML_WITH_BR = self::HTML | self::NL2BR;
+
+ public static function esc(string $s, int $flags = self::HTML): string
+ {
+ if ($flags & self::HTML) {
+ $s = htmlspecialchars($s, ENT_QUOTES, "UTF-8");
+ }
+ if ($flags & self::NL2BR) {
+ $s = nl2br($s);
+ }
+ return $s;
+ }
+}
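Review bot: `htmlspecialchars($s, ENT_QUOTES, "UTF-8")` in `esc()` returns an empty string, not an escaped one, when `$s` is not valid UTF-8, so a caller escaping request input silently loses the entire value; add `ENT_SUBSTITUTE` so malformed sequences become U+FFFD instead: `$s = htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, "UTF-8");`. The new file also omits `declare(strict_types=1);` after `<?php`, which is the usual first statement for a fresh namespaced file and costs nothing here since no legacy code lives in it. Neither the class nor the method has a docblock; I would document that `HTML` is deliberately applied before `NL2BR` so the `<br />` tags inserted by `nl2br()` are not themselves escaped, that the constants are a bitmask combined with `|`, and that the result is safe only in HTML body and quoted-attribute context, not inside `<script>` or URLs.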
diff --git a/ratatoeskr/sys/translation.php b/ratatoeskr/sys/translation.php
index fd494c1..0679ca7 100644
--- a/ratatoeskr/sys/translation.php
+++ b/ratatoeskr/sys/translation.php
@@ -9,6 +9,8 @@
* See "ratatoeskr/licenses/ratatoeskr" for more information.
*/
+use r7r\cms\sys\Esc;
+
require_once(dirname(__FILE__) . "/utils.php");
require_once(dirname(__FILE__) . "/init_ste.php");
@@ -28,7 +30,7 @@ if (!defined("TRANSLATION_PLUGIN_LOADED")) {
return "";
}
$rv = $translation[$params["for"]];
- return (!empty($params["raw"])) ? $rv : htmlesc($rv);
+ return (!empty($params["raw"])) ? $rv : Esc::esc($rv);
}
);
define("TRANSLATION_PLUGIN_LOADED", true);
diff --git a/ratatoeskr/sys/utils.php b/ratatoeskr/sys/utils.php
index a285bcd..8a848eb 100644
--- a/ratatoeskr/sys/utils.php
+++ b/ratatoeskr/sys/utils.php
@@ -22,6 +22,9 @@
*
* An array with $val $n-times repeated.
*/
+
+use r7r\cms\sys\Esc;
+
function array_repeat($val, $n)
{
$rv = [];
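Review bot: The added `use r7r\cms\sys\Esc;` is inserted between the closing `*/` of the `array_repeat` docblock and `function array_repeat($val, $n)`, which orphans that docblock — tooling associates a docblock with the declaration immediately following it, and a `use` statement is not one. Move the import up to the file's header, next to the other file-level statements, so the docblock is attached to `array_repeat` again; the other three files in this commit place the `use` directly after the license comment, and doing the same here keeps the convention consistent. array_repeat's body continues outside the hunk.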
@@ -40,19 +43,16 @@ function intcmp($a, $b)
return ($a == $b) ? 0 : (($a < $b) ? -1 : 1);
}
-/*
- * Function: htmlesc
+/**
* Escape HTML (shorter than htmlspecialchars)
*
- * Parameters:
- * $text - Input text.
- *
- * Returns:
- * HTML
+ * @param mixed $text Input text
+ * @return string HTML
+ * @deprecated Use {@see Esc::esc()} instead.
*/
-function htmlesc($text)
+function htmlesc($text): string
{
- return htmlspecialchars($text, ENT_QUOTES, "UTF-8");
+ return Esc::esc($text);
}
/*